LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-25-2003, 08:13 PM   #1
Imiro
LQ Newbie
 
Registered: Sep 2002
Distribution: Fedora core 4
Posts: 17

Rep: Reputation: 0
iptables allow all from domain


Hello,

I've just begun using Linux RH 9, which has iptables for its firewall. The current set of rules was generated by LOKKIT at medium-level security. This means roughly that ports up to 1024 are blocked.

I'd like to give my other machine full access through the internet (tcp, udp, icmp) and think this would be taken care of by adding a line or two to /sbin/sysconfig/iptables. It would also be nice to use DNS instead of an IP so updating isn't necessary.

What kind of commands should be used and does it matter in what order they are placed?

Cheers,

Imiro
 
Old 09-25-2003, 11:14 PM   #2
viz
LQ Newbie
 
Registered: Sep 2003
Posts: 4

Rep: Reputation: 0
Before giving you a portion of a firewall script, I would like to know your network configuration.

First, from reading your post I assume the firewall box is connected to the Internet. Then I assume the other machine is on a LAN behind the firewall, and you would like the firewall to "share" Internet access with the other machine.

Is this true?

Second, your firewall will need two network cards, one connected to the Internet, the other to the LAN containing the other machine (this could even be a crossover cable directly connecting the two computers if you have no hub or switch).

Do you have two network cards in the firewall?

Once we settle the network questions above, I can tell you how to do this. I can even supply you with a firewall script. However, after examining lokkit, I see that it has no provision for enabling Internet sharing. My approach is to not use the iptables service at all, but to write my own rules that activate when my firewall boots up.

Also, what do you mean when you say you want to use DNS instead of an IP? Do you mean DHCP? If so, I can tell you how to set up a DHCP server.

Let me know the answers to my questions and I'll get back to you. If you are new to Linux, these tasks can seem intimidating, but after you see how they are done it will make sense.
 
Old 09-26-2003, 08:23 AM   #3
Imiro
LQ Newbie
 
Registered: Sep 2002
Distribution: Fedora core 4
Posts: 17

Original Poster
Rep: Reputation: 0
> First, from reading your post I assume the firewall box is connected to the Internet. Then I assume the other machine is on a LAN behind the firewall, and you would like the firewall to "share" Internet access with the other machine.

My Linux PC (I'll call it $A) is not firewalling a home LAN. Its firewall is only for securing itself. It's connected to the internet though. By the other PC ($B), I mean any PC that should get free access to $A through the internet.

> Also, what do you mean when you say you want to use DNS instead of an IP? Do you mean DHCP? If so, I can tell you how to set up a DHCP server.

Oh, my bad, I meant to use www.mydomain.org instead of the exact IP in the iptables rules.

After reading what tutorials I could find, it seemed like this can be done quite simply by adding lines to the iptables ruleset like this:

-A RH-Lokkit-0-50-INPUT -p udp -m udp -s som.eip.her.e -d 0/0 --dport 0:1023 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s som.eip.her.e -d 0/0 --dport 2049 -j ACCEPT

In this case I'd like to accept all traffic from and to that "some ip" and in fact use a domain name instead. But since I've never done it, I don't really trust that I got it right.
 
Old 09-26-2003, 09:23 AM   #4
viz
LQ Newbie
 
Registered: Sep 2003
Posts: 4

Rep: Reputation: 0
If you want to access computer $A from computer $B over the Internet I recommend using secure shell (ssh) and only opening that port. I would not use rules like you have written that open so many ports.
 
Old 09-26-2003, 09:55 AM   #5
Imiro
LQ Newbie
 
Registered: Sep 2002
Distribution: Fedora core 4
Posts: 17

Original Poster
Rep: Reputation: 0
Ok then, how would it be done on a port basis? Let's say I want to enable traffic to a certain port on $A using the TCP protocol from one IP or domain.
 
Old 09-27-2003, 07:28 PM   #6
Imiro
LQ Newbie
 
Registered: Sep 2002
Distribution: Fedora core 4
Posts: 17

Original Poster
Rep: Reputation: 0
In case there are noobs such as I out there left wondering, the simplest way to do it is this:

iptables -I INPUT -p tcp -s som.eip.her.e --dport 80 -j ACCEPT

Maybe a little explanation on the options:

"-I" means this rule concerns incoming packets and that the line is inserted at the beginning of the rule-set, because later, more restrictive rules might conflict with it.
"-p" protocol
"-s" source address, can be replaced by a hostname (but then more vague, less secure)
"--dport" destination port on your machine
"-j" if the packet matches this rule, accept it

Generally, if you leave out definitions, the rule becomes sloppier in what it allows.

As viz recommended, this is probably not the safest way to go, but it gets the job done in case you're in a hurry to allow specific connections.

Hopefully someone corrects me if I still didn't get this right.
 
Old 09-29-2003, 01:50 PM   #7
viz
LQ Newbie
 
Registered: Sep 2003
Posts: 4

Rep: Reputation: 0
This is correct. There are other points worth noting.

1. Instead of the port number, you can put the name of the service if it is listed in /etc/services. In this case, the number "80" in the example becomes http.
2. If you list a service name or port with the --dport flag, the -p flag along with the protocol type is required. In other words, in order to gain access to the --dport flag, you must first indicate the protocol.


You may already know this, but I figured if you were new to iptables it might be worth mentioning.
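As an added example (my own, not code from anyone in this thread), here is a small POSIX sh wrapper around the single-host, single-port rule from post #6 that also covers the hostname point raised earlier: a name given to -s is resolved once, at insertion time, so the rule only ever holds the addresses found then and will not follow later DNS changes. It assumes `getent ahostsv4` is available, accepts numeric ports only, and needs root unless DRY_RUN=1 is set to just print the commands.

```shell
#!/bin/sh
# Added example: insert "iptables -I INPUT -p PROTO -s HOST --dport PORT -j ACCEPT"
# for every IPv4 address HOST resolves to right now. iptables stores addresses,
# not names, so re-run this when the host's DNS record changes.
# DRY_RUN=1 prints the commands instead of executing them (no root needed).

# is_ipv4 ADDR : succeed if ADDR is a dotted-quad IPv4 literal
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# resolve_host NAME : print one IPv4 address per line (NAME may already be an IP)
resolve_host() {
    if is_ipv4 "$1"; then
        echo "$1"
    else
        getent ahostsv4 "$1" | awk '{print $1}' | sort -u
    fi
}

# build_rule IP PROTO PORT : print the iptables command for one source address
build_rule() {
    echo "iptables -I INPUT -p $2 -s $1 --dport $3 -j ACCEPT"
}

# allow_from_host NAME PROTO PORT : validate, resolve, then insert (or print) one
# rule per address; an identical existing rule (checked with -C) is not duplicated
allow_from_host() {
    host=$1; proto=$2; port=$3
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    addrs=$(resolve_host "$host")
    [ -n "$addrs" ] || { echo "cannot resolve $host" >&2; return 1; }
    for ip in $addrs; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            build_rule "$ip" "$proto" "$port"
        else
            iptables -C INPUT -p "$proto" -s "$ip" --dport "$port" -j ACCEPT 2>/dev/null \
                || iptables -I INPUT -p "$proto" -s "$ip" --dport "$port" -j ACCEPT
        fi
    done
}
```

Example: `DRY_RUN=1 sh -c '. ./allow.sh; allow_from_host www.mydomain.org tcp 22'` prints the rule(s) that would be inserted for the ssh-only approach viz suggested.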
 